https://github.com/kareniel/awesome-ctf-challenge-design

🕶 Design fun and insightful CTF challenges

# Awesome CTF Challenge Design [![Awesome](https://cdn.rawgit.com/sindresorhus/awesome/d7305f38d29fed78fa85652e3a63e154dd8e8829/media/badge.svg)](https://github.com/sindresorhus/awesome)

Resources to help you design security CTF and wargame challenges.

## Contents

- [General](#general)
- [Approaches & Specific Designs](#approaches--specific-designs)
- [Engineering](#engineering)
- [Game/Puzzle Design](#gamepuzzle-design)
- [Learning, Curiosity & Gamification](#learning-curiosity--gamification)
- [Running Events](#running-events)
- [Weird Machines & Esolangs](#weird-machines--esolangs)
- [Escape Rooms & Puzzle Hunts](#escape-rooms--puzzle-hunts)
- [Mario Maker Troll Levels](#mario-maker-troll-levels)
- [Finding Challenge Ideas](#finding-challenge-ideas)

## General

- [The Many Maxims of Maximally Effective CTFs](https://web.archive.org/web/20201212081922/https://captf.com/maxims.html) - Some important maxims to live out when making a CTF.
- [What makes a programming exercise good?](https://jvns.ca/blog/2019/11/20/what-makes-a-programming-exercise-good/) (Blog post) - Blog post from Julia Evans.
- [CTF Design Guidelines](https://bit.ly/ctf-design) - Design guidelines for CTF authors and organizers

## Approaches & Specific Designs

- [Hit ’em Where it Hurts](https://seclab.bu.edu/people/gianluca/papers/ctf-acsac2011.pdf) (PDF) - A paper presenting the design of a novel kind of live security competition centered on the concept of Cyber Situational Awareness.
- [A Serious Game for Eliciting Social Engineering Security Requirements](https://mediatum.ub.tum.de/doc/1328974/1328974.pdf) (PDF) - A card game which all employees of a company can play to understand threats and document security requirements.
- [Collection Deck](https://www.thegamecrafter.com/games/collection-deck1) (Website) - A training game designed by the CIA to teach employees about various collection capabilities.
- [A “Divergent”-themed CTF and Urban Race for Introducing Security and Cryptography](https://www.usenix.org/conference/ase16/workshop-program/presentation/feng) (PDF) - A set of CTF exercises and a physical activity based on an urban race, both of which are tied into a fictional story that students act out.
- [Teaching Network Security Through Live Exercises](https://ictf.cs.ucsb.edu/pdfs/2003_WISE_iCTF.pdf) (PDF) - This paper describes a series of live exercises that have been used in a graduate-level Computer Science course on network security.
- [ARE CTF CREATORS EVIL?! - A Conversation around realworld CTF's with Adam Langley](https://www.youtube.com/watch?v=8ontlr9qY4Y) (Video) - Conversation session between STÖK and Adam Langley
- [OOO DEF CON CTF finals infrastructure code](https://github.com/o-o-overflow/dcf-game-infrastructure-public) - All the game components necessary to run an Attack-Defense CTF that OOO used from 2018-2021

## Engineering

- [AutoCTF - Creating Diverse Pwnables via Automated Bug Injection](https://rode0day.mit.edu/static/autoctf.pdf) (PDF) - Making CTFs cheap and reusable by extending a bug injection system to add exploitable vulnerabilities, enabling rapid generation of new CTF challenges.
- [Security Scenario Generator (SecGen)](https://www.usenix.org/system/files/conference/ase17/ase17_paper_schreuders.pdf) (PDF) - A Framework for Generating Randomly Vulnerable Rich-scenario VMs for Learning Computer Security and Hosting CTF Events
- [Hackerbot](https://www.usenix.org/system/files/conference/ase18/ase18_hackerbot.pdf) (PDF) - Attacker Chatbots for Randomised and Interactive Security Labs, Using SecGen and oVirt

## Game/Puzzle Design

- [The Secrets of Puzzle Design](https://www.youtube.com/watch?v=hCOHjTX4GYE) (Video) - How Game Designers Explore Ideas and Themes with Puzzles and Problems.
- [The Puzzle Instinct](https://www.amazon.com/Puzzle-Instinct-Meaning-Puzzles-Human/dp/0253217083) (Book)
- [Designing the Puzzle](http://www.lucasstyle.com/tutorials/Designing_The_Puzzle.pdf) (PDF) - Bob Bates's short paper on puzzle taxonomy and how to distinguish a good from a bad puzzle.
- [How to make a good puzzle](https://www.gamasutra.com/blogs/TomHermans/20180829/325469/How_to_make_a_good_puzzle__An_explorable_explanation.php) (Article) - An explorable explanation on how to make a puzzle that's fun, and satisfying to solve.
- [Empuzzlement](https://www.youtube.com/watch?v=Ul_ZfzfHRek) (Video) - Puzzle game designers talking about puzzles. Featuring: Jonathan Blow, Marc ten Bosch, and Droqen.
- [Design to Reveal the Nature of the Universe](https://www.youtube.com/watch?v=OGSeLSmOALU) (Video) - A talk from Jonathan Blow & Marc ten Bosch at IndieCade 2011.
- [Open-Ended Puzzle Design at Zachtronics](https://www.youtube.com/watch?v=U4uH1ynH3Rs) (Video) - Interview with Zach Barth on his studio's puzzle design process, from the initial foundation to the basic mechanics, to the way story is integrated. See also [Zach-like](https://zachtronics.itch.io/zach-like) (PDF) which is a book of behind-the-scenes design documents from Zachtronics.
- [Practical Creativity](https://www.youtube.com/watch?v=zyVTxGpEO30) (Video) - Raph Koster explains what science tells us about creativity, and offers practical straightforward steps that any game designer or developer can make use of in order to get more creative.

## Learning, Curiosity & Gamification

- [Modeling and Designing for Key Elements of Curiosity: Risking Failure, Valuing Questions](http://www.digra.org/wp-content/uploads/digital-library/63_DIGRA2017_FP_To_Modelling_Curosity.pdf) (PDF) - This paper presents a design model of curiosity that articulates the relationship between uncertainty and curiosity and defines the role of failure and question-asking within that relationship.
- [A New Theoretical Framework for Curiosity for Learning in Social Contexts](http://www.justinecassell.com/publications/A%20New%20Theoretical%20Framework%20for%20Curiosity%20for%20Learning%20in%20Social%20Contexts.pdf) (PDF) - This framework is a step towards designing learning technologies that can recognize and evoke curiosity during learning in social contexts.
- [Curious Minds Wonder Alike](https://zhenbai.io/wp-content/uploads/2018/08/Sinha_Bai_Cassell_EC-TEL_Curious_Minds_Wonder_Alike.pdf) (PDF) - A paper that identifies fine-grained social scaffolding of curiosity in child-child interaction, and proposes how they can be used to elicit and maintain curiosity in technology-enhanced learning environments.
- [Gamification for teaching and learning computer security in higher education](https://www.usenix.org/system/files/conference/ase16/ase16-paper-schreuders.pdf) (PDF) - A paper that presents the design and evaluation of a gamified computer security module, with a unique approach to assessed learning activities.

## Running Events

- [Learning Obstacles in the Capture The Flag Model](https://www.usenix.org/system/files/conference/3gse14/3gse14-chung.pdf) (PDF) - Insights and lessons learned from organizing CSAW CTF
- [Organizing Large Scale Hacking Competitions](https://sites.cs.ucsb.edu/~vigna/publications/2010_childers_boe_cavallaro_cavedon_cova_egele_vigna_dimva10.pdf) (PDF) - Two new competition designs, the challenges overcome, and the lessons learned, with the goal of providing useful guidelines to other educators who want to pursue the organization of similar events
- [Ten Years of iCTF - The Good, The Bad, and The Ugly](https://www.usenix.org/conference/3gse14/summit-program/presentation/vigna) (Video) - There is also [a paper about this](https://www.researchgate.net/publication/278724640_Ten_Years_of_iCTF_The_Good_The_Bad_and_The_Ugly).
- [Suggestions for running a CTF](https://github.com/pwning/docs/blob/master/suggestions-for-running-a-ctf.markdown) - Describes some of the design decisions and technical details involved in running a CTF competition.

## Weird Machines & Esolangs

- [What are Weird Machines?](https://www.cs.dartmouth.edu/~sergey/wm/) (Website) - A TLDR about the concept of Weird Machines.
- [Abadidea's Index of Weird Machines in Video Games](https://gist.github.com/0xabad1dea/7740977) (Gist) - List of intentional gameplay features which may be used as weird machines, and exploit-based machines which can be triggered by ordinary player input.
- [What Hacker Research Taught Me](https://www.youtube.com/watch?v=Dd9UtHalRDs) (Video) - Sergey Bratus' keynote at the TROOPERS 2010 conference. You can [find the slides here](https://www.cs.dartmouth.edu/~sergey/hc/rss-hacker-research.pdf).
- [The Science of Insecurity](https://www.youtube.com/watch?v=3kEfedtQVOY) (Video) - Meredith L. Patterson's talk at 28c3. Draws a direct connection between ubiquitous insecurity and computer science concepts of Turing completeness and theory of languages
- [Computer Architecture: A Minimalist Perspective](https://www.amazon.ca/Computer-Architecture-Perspective-International-Engineering/dp/1402074166) (Book) - Examines computer architecture, computability theory, and the history of computers from the perspective of one instruction set computing.
- [Esoteric.Codes](https://esoteric.codes) (Website) - Languages, platforms, and systems that break from the norms of computing

## Escape Rooms & Puzzle Hunts

- [A Model to Design Learning Escape Games: SEGAM](https://hal.archives-ouvertes.fr/hal-01744860/document) (PDF) - A methodology for designing "Serious Escape Games" for learning.
- [The joyful, perplexing world of puzzle hunts](https://www.youtube.com/watch?v=v4ly_-IIFCQ) - A TED talk by Alex Rosenthal about constructing puzzles and the MIT Mystery Hunt.
- [The art of creating an escape room](https://www.youtube.com/watch?v=0SH0agcMRuA) - Thijs Bosschert's talk at SHA2017 on how to create the best experience for the players, pitfalls and how to design puzzles and puzzle flows.

## Mario Maker Troll Levels

- [Trolling for Dummies](https://docs.google.com/document/d/13ZoqeblLs45HuEfTtsOrq6X0LAuEnA8nB721_doxE38) - A perpetual work in progress that will continue to be updated as the community learns more about making good troll levels, and as new techniques are discovered.
- [Mario Maker 2 Multiplayer Troll Design](https://docs.google.com/document/d/1I4jMYEdHiVpmA0W4svEGnBsZ85VwOOpiIFaneuMkvRQ) - How to design a multiplayer troll that works and thrills the players and audiences.
- [Multiplayer Contraptions in Super Mario Maker 2](https://docs.google.com/document/d/1Onp9j3inEpg_xFFPRIhLcm1tqbaOByEs9w4KTSE7kF8) - This guide is about various contraptions related to the multiplayer modes. Some of them are used to separate the modes, and others to determine the number of players.
- [MulTROLLplayer Research Hub Tech Sheet](https://docs.google.com/document/d/1_UPHmcez5R4Qv0ZAMVRbWwYy1JjCRyeeJ0XtpROPI6Y) - A compilation of multiplayer tech, from totally obvious to glitchy jank.

## Finding Challenge Ideas

- [Search RFCs by "best current practice"](https://www.rfc-editor.org/search/rfc_search_detail.php?sortkey=Number&sorting=DESC&page=All&pubstatus%5B%5D=Best%20Current%20Practice) - IETF RFCs have a status called "Best Current Practice". This page lets you filter them using that status.
- [CISA's catalog of "bad practice"](https://github.com/cisagov/bad-practices) - A catalog of bad practices that are exceptionally risky, especially in organizations supporting critical infrastructure or NCFs

## Footnotes

### See Also

Other Awesome Lists:

- [CTFs](https://github.com/apsdehal/awesome-ctf#readme)
- [Security](https://github.com/sbilly/awesome-security#readme)
- [AppSec](https://github.com/paragonie/awesome-appsec#readme)
- [Hacking](https://github.com/carpedm20/awesome-hacking#readme)
- [Web Security](https://github.com/qazbnm456/awesome-web-security#readme)